From 62cf6b2e7f1a4e50bb55bef9b5bea34d4f32e2de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 7 Nov 2023 15:17:10 +0100
Subject: [PATCH 1/2] Deprecate AES algorithm for DNS cookies

The AES algorithm for DNS cookies was being kept for legacy reasons, and it can be safely removed in the next major release. Mark is as deprecated, so the `named-checkconf` prints a warning when in use.

(cherry picked from commit 67d14b0ee541b5bacf7c295b4231a49ae435941c)
---
 lib/bind9/check.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 3a78a17a07..ee64543ab8 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1457,6 +1457,10 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 (void)cfg_map_get(options, "cookie-algorithm", &obj);
 if (obj != NULL) {
 ccalg = cfg_obj_asstring(obj);
+ if (strcasecmp(ccalg, "aes") == 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "cookie-algorithm 'aes' is deprecated");
+ }
 }
 
 obj = NULL;

From f2a2ec92b90c0dbe6374545c17f35e4d8c21f691 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 7 Nov 2023 14:44:44 +0100
Subject: [PATCH 2/2] Add CHANGES and release note for [GL #4421]

(cherry picked from commit 2a3b3beaf1db22c5f11490c23874eb0ec00ad836)
---
 CHANGES | 2 ++
 doc/notes/notes-current.rst | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 750369b82b..566c947e0c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+6282. [func] Deprecate AES-based DNS cookies. [GL #4421]
+
 --- 9.16.45 released ---
 
 6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index af4604380a..d69151dfe3 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
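Review bot: The warning added in check_options() says only that `aes` is deprecated and gives the operator no migration target; consider `"cookie-algorithm 'aes' is deprecated; use 'siphash24' instead"` so the named-checkconf output is actionable. The check sits inside `if (obj != NULL)`, so it fires only for an explicit setting, which is right provided the built-in default for `ccalg` (assigned outside this hunk) is not AES; that is worth confirming. Servers that share a cookie-secret, such as an anycast set, presumably have to change algorithm together, and neither the message nor the release note says so. Patch 1 changes only check.c, so no checkconf test pins the new warning. check_options() starts and ends outside the hunk.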
@@ -25,7 +25,8 @@ New Features
 Removed Features
 ~~~~~~~~~~~~~~~~
 
-- None.
+- The support for AES algorithm for DNS cookies has been deprecated.
+ :gl:`#4421`
 
 Feature Changes
 ~~~~~~~~~~~~~~~